mmistakes / minimal-mistakes

:triangular_ruler: Jekyll theme for building a personal site, blog, project documentation, or portfolio.
https://mmistakes.github.io/minimal-mistakes/
MIT License

Security vulnerability due to a npm script ⚠️ #1977

Closed kulbhushanchand closed 5 years ago

kulbhushanchand commented 5 years ago

By the time this issue was filed, GitHub may have reported to you the recent security vulnerability detected in an npm script - event-stream flatmap-stream.

Here is the screenshot about my website using minimal-mistakes theme -

image

To know in detail -

Possible solution - We may need to revert back to previous version of script.

kulbhushanchand commented 5 years ago

If you are using a crypto-currency related library and if you see flatmap-stream@0.1.1 after running npm ls event-stream flatmap-stream, you are most likely affected.

Update - Minimal mistakes shows flatmap-stream@0.1.0 and is not using any crypto-currency related library, so it may not be affected. 🤔

mmistakes commented 5 years ago

I don't think we have to do anything. Looks like NPM has removed the malicious version.

> npm ls event-stream flatmap-stream
minimal-mistakes@4.14.1 \minimal-mistakes
`-- npm-run-all@1.8.0
  `-- ps-tree@1.1.0
    `-- event-stream@3.3.4

mmistakes commented 5 years ago

Regardless I updated the NPM dependencies used as part of the build:js scripts when developing the theme. They were quite old.

Doing so, looks like event-stream is no longer used so we should be in the clear now.

> npm ls event-stream flatmap-stream
minimal-mistakes@4.14.1 \minimal-mistakes
`-- (empty)